Something you’ll hear in policy debates on the environment: windmills are a great idea and obviously good for the environment, but we don’t want them in our backyard. This argument doesn’t just apply to the debate on the environment, but apparently also in the debate on privacy protection. Representatives from industry speak convincingly about what privacy is good for others, but that they would rather not see the rules applied to them.

The new European data protection regulation is the most lobbied piece of legislation thus far because the subject is very important and touches upon almost every aspect of our daily lives. Therefore EDRi member Bits of Freedom used the Dutch freedom of information act to ask the government to publish all the lobby documents they received on this new law. Bits of Freedom published these documents on their website with their analysis in a series of blogs. What parties lobby? What do they want? What does that mean for you? These nine blogposts are now translated into English for the EDRi-gram. This is part 6.

Everything is great, but…

The lobby letters all share a generally positive tone of voice. Many letters start off with: “we welcome the provisions.” Other parties think the regulation is an important step to further regulate the economy and to increase consumer trust. These sentences are often followed by a “but”, in which case the letter moves onwards to exceptions. The data protection regulation contains numerous exceptions, with the main ones at the end of the text, with the aim of defending research, archiving, journalism, and religion. According to organisations, these exceptions aren’t enough, and therefore they lobbied for more.

Not for our sector!

These new rules are important, but also problematic for the lobbyists for specific sectors. There are many letters from archives that say they are unhappy. In a letter to the Dutch Ministry of Justice, the Cadastre and the Chamber of Commerce say that the new privacy law should take archives and registers better into account. They for example don’t think it would be fair if people could delete their data.

After all, this wasn’t the case in the previous privacy law, they say. According to that law, the right to restrict processing wasn’t applicable to these kinds of registers. Furthermore, the organisations ask the government to critically evaluate the commercial reuse of public sector information, by which they also refer to open data and privacy. This is a relevant question. As they say in their letter, it “runs into a lot of public resistance, based on privacy concerns.”

Medical research

What’s also striking is that many Dutch health research institutions are unhappy with the exceptions for scientific research. The Hartstichting (heart foundation) says “we have our own ethical standards”. In their letter, they explain that they use different methods to obtain consent, and that they employ their own ethical commissions to evaluate data processing.

Judges

Judges also want an exception. In a letter of the “European Network of Councils of the Judiciary”, a European body for the national councils of the judiciary, they say that it would be worrisome if there were to be insufficient exceptions for judges. They for example want to prevent that correspondence or emails between judges is accessed as personal data about the person they are discussing.

Housing corporations

According to housing corporations, the proposals “mean quite a lot.” In a letter to the Ministry of Justice, they claim to be sufficiently regulated by “all kinds of policy and legislation” in “more or less fragmented legislation, like for example the cookie law.”

Among other things, they think that they would face an information obligation that would be too extensive under the current proposals. With regards to the right to delete and the right to be forgotten, they say:

Many organisations and in particular housing corporations have complaints mechanisms and complaints commissions. An extension with more complaints opportunities is an unreasonable burden. Also, the right to delete can breach the retention obligation from the proposals.

That’s a bit strange. Because there are already complaints mechanisms, housing corporations want to take away people’s ability to check the accuracy of their data and the ability to remove superfluous information?

Housing corporations have more complaints. They think there are too many burdens, the fines are disproportionate, and they think they should be able to decide how organisations grant access to data. They think there has been little recognition of local interests, and they therefore propose to regulate privacy in a different way: not through one European law, but through a series of obligations that can be translated by Member States themselves in national legislation.

Not for our country!

And the same can be heard from other organisations. “Our country is exceptional, so maybe we should do things differently.” In a letter to the Ministry of Justice, Danske Medier, a large Scandinavian media company, criticises the changes made by the European Parliament:

“Without any discussion – perhaps even by accident – they then wiped away the legal prerequisite for telephone marketing to private households, which is the traditional and most effective way of selling news media in the Nordic countries.”

To them, it’s also about making data available for other organisations:

To a great extent, the high penetration of newspapers and other news media in Norway, Sweden and Denmark is due to the fact that consumers in these countries may be contacted by telephone by certain business sectors, which are fundamental for a viable democracy.

The interesting thing about this is that it means that data processing by third parties should be made easier in the whole of Europe, just to satisfy the requirements of a business model often used by Scandinavian media.

Can’t we fix this ourselves?

CIO, the Dutch ecclesiastical counsel, is not happy with the current way in which the exception for churches is phrased in the text. Dutch churches have their own methods for registration and the administration of data (SILA).

“We recommend you to choose a formulation that delivers more possibilities and autonomy, so that an appropriate form of management and processing of personal data can be formed for the Churches and where the unique SILA system as we know it today is respected in the Netherlands.”

At times justified, but no excuse

At times it can be justified to create exceptions like this. But it is important to stay watchful in cases of self-regulation. Advertisement companies for example also want more self-regulation, as they argue in a letter to the Ministry of Justice. Is that because they have so much confidence in their own ability, or because they want to evade legal obligations?

Ironically, having lobbied for a vast number of exceptions in the EU Regulation, industry groups are now complaining that… you guessed it… there are too many exceptions in the Regulation.

To be continued

Want to continue reading about this? On the Bits of Freedom website, you can find all the lobby documents and the analysis. The next part will be about “privacy schools.”